Redirects->Trojans->0Access->No Internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rockyjo, Apr 12, 2012.

  1. rockyjo

    rockyjo Private E-2

    Hi,
    I'd appreciate your help (that is an understatement). I'm using Gateway pc (old, slow puppy), with xp pro and ie. About 3 days ago the pc experienced 2 redirects. At that point, I ran updated mbam, which found and (I thought) corrected problem: my notes show files it found including: c:\windows\system32\drivers\2900991drv.sys; c:\windows\systemroot\syst32\2900991drv.sys; c:\windows\system32\ping.exe. Cleaned. Re-ran mbam and seemed to be every time a few files popping up like they were reincubating. Changed to Kaspersky (thought I got tdsskiller but got their other broad-based cleaner, can't think of the name): identified virus.win32.ZAccess.k and picked up (same lead...) drivers\mrxsmb.sys; cleaned, reran and identified virus.win32.ZAccess.c, picked up: i804prt.sys; ...drivers\netbt.sys; ...drivers\redbook.sys; cleaned and reran and it began to also go through a loop--identify, clean, re-run, new variants show up, example: it would clean the redbook.sys, reboot, re-run and it showed up again, or started the circle again, back to mrxsmb.sys. Switched to Superspyware (online): it identified Trojan.agent/Gen-Proxybot; Trojan.agent/Gen-Sirefef; Trojan.VXGame-Variant/D and Adware.Tracking Cookies--I did as recommended to clean those and it appeared to, but knocked out internet access. Downloaded (from this pc and ported), ran tdsskiller: identified Backdoor.MultiZAccess (which I deleted as instructed) and win32ZAcess.C (which I "cured" as instructed). Re-ran Superspyware and tdsskiller several times and both "ran clean". But mbam stopped in the middle, so still suspicious, and still no internet.
    So found the page(s) on your site for doing cleaning, checks, and prepwork for a forum post, here's the info on what you ask for: 1)mbam won't run (unfortunately I uninstalled the earlier mbam and reinstalled in case it was infected so I don't have the original reports), 2) superspyware first time through was online version and I didn't see anywhere to grab/keep/copy a report, so unfortunately don't have report but hopefully my notes give help, 3) sending tdsskiller reports, 4) couldn't flush the dns cache - "an internal error occurred: The request is not supported". I did the rest of the stuff and it is ready. 'Don't know that much about routers/modems so I need some more help there if that's an issue. I'm using the same dsl modem for this pc which is not the sick puppy. 5) Since internet nogo on the other pc, I'm porting over software...Combofix (after several clean superspyware and tdsskiller scans said, "You are infected with Rootkit.ZeroAcess! In tcp/ip stack. If for any reason that you're unable to connect to the internet after running Combofix, reboot once and see if that fixes it" (I was already unable to access internet). "If it's not fixed, run Combofix one more time." "Rootkit is detected." "Be patient as this may take some moments." Then Cfix halted. No stages run. Eventually I did a cold boot. I didn't run Cfix again but moved on. 6) Root Repeal - ran and created a file but it's virtually empty: the screen said "Hidden/locked files: 0", but I see that the report results just say "Hidden/locked files" with nothing else. So I am not uploading that but can if you want to see that with headers. 7) MGTools - ran and uploaded; I see that it picked up the tdsskiller logs so I will not send those separately.

    In addition to the 0access mess that I've been unable to oust, I have a few questions, please: 1) the online superspyware supposedly eliminated/cured a bunch of junk, but I cannot find where it put the quarantine-type files on my pc so I can get rid of them at some point, 2) How do I disinfect this thumb drive where I'm porting files back and forth--I'm beginning to be concerned about contagion. This pc uses avg, I've run it a few times over the past few days and it picks up files in the Recycler file which look like fairly normal tracking cookies for the most part, but... I'd feel more comfortable if I knew this (healthy) one was clean of the stuff that hides, b4 I might have a growing, double problem; suggestions? 3) Sick puppy has a tdsskiller_quarantine file that is a real dirty diaper—how do I get rid of that; can you just delete the file, or can that spread the stench?

    Thank you, I really appreciate your help. Sorry for the length, thought you'd want to know the path. So far, it's beginning to feel like what seemed to be "make-sense" steps toward correction may have just dug the hole deeper, or there is/was just a lot there, hiding.

    No BSODs, at least. Oh, I did try to get on the 'net with it via safe mode; no go.

    Rockyjo
    (files coming next)
     
    Last edited: Apr 12, 2012
  2. rockyjo

    rockyjo Private E-2

    Files attached:
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hello rockyjo,

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java 2 Runtime Environment Standard Edition v1.3
    • Java(TM) 6 Update 12

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  4. rockyjo

    rockyjo Private E-2

    Hello thisisu,

    Thanks for your help. OTL file attached.

    BTW, I see it noted a file called "vintagetim.exe"; that is OldTimer; I often rename these diagnostic/fix tools in case the malware is set for the standard name and causes it to fail. So if a file sounds like a reworked name for a diagnostic/fix, it may well be...just ask.

    Rockyjo
     

    Attached Files:

    • OTL.Txt
      File size:
      283.2 KB
      Views:
      6
  5. thisisu

    thisisu Malware Consultant

    I would prefer if you ran this fix while in Safe Mode with Networking for the highest chance of success.
    See: How to start your computer in Safe mode with Networking

    Attached is OTLfix.txt
    Download and transfer this file over to the infected computer.

    Now reopen OTL
    Then drag OTLfix.txt into the text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the fix button.
    The fix will require a reboot. Allow the computer to reboot into Normal Mode (not Safe Mode with Networking again)
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Test for an internet connection at this time but continue with the below regardless:

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

  6. rockyjo

    rockyjo Private E-2

    Well, just saw there was another file created with OTL, extras.txt, so it is attached. Will upload and then see your post.
    RJ
     

    Attached Files:

  7. rockyjo

    rockyjo Private E-2

    Thx for next step; will do your next post after 10pm MST 2nite.
    RJ
     
  8. rockyjo

    rockyjo Private E-2

    thisisu,

    Ran otl with otlfix in safe mode with networking.

    Nice!! Internet connection back!

    Started .bat file, got this: "C:\Windows\system32\cmd.exe
    C:\Progra~1\\Symantec\S32Evnt1.dll. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application."
    Last time I chose "ignore" and it ran, so did so again.

    Both procedures ran so both files attached.

    Could you give me a bit of info of what you're finding so I can be a little more educated?

    RJ
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Glad to hear it :)

    Here are the next steps:

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Malwarebytes' Anti-Malware version 1.51.1.1800 (outdated)

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    I want you to read and follow these instructions: TDSSKiller - How to run


    Follow the instructions here on running a scan with the latest version and definitions of Malwarebytes' Anti-Malware: Using Malwarebytes Anti-Malware


    Attempt to run ComboFix using these directions:
    Please note, the below instructions are intended that ComboFix is named: ComboFix.exe. If you previously renamed it, set it back to ComboFix.exe for these steps.
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • "%userprofile%\desktop\ComboFix" /killall
    • Now press ENTER
    • ComboFix should launch and try to scan. Let me know exactly what happens if it does not run successfully this time around.
    • Attach C:\ComboFix.txt if it was successful. (How to attach)


    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.

    By the way, you should start looking into freeing up some hard drive space. You're around 13% free space. Would be better for you if you were above 20% free.

    Found this article you may like to try: http://www.symantec.com/business/support/index?page=content&id=TECH100470

    Sure, but complete the above steps first :)
     
  10. rockyjo

    rockyjo Private E-2

    Hi thisisu,

    I will be working on these next steps. In the meantime, from my first email, I am also concerned that some porting between pcs may have infected the "healthy" pc, which is the laptop.

    It starts slower than ever now, and seems to be running slower, but I could be imagining the latter under the circumstances. AVG says clean, but so did a lot of software on the sick puppy.

    Should I run ComboFix on the laptop to see if it uncovers anything?

    RJ
     
  11. rockyjo

    rockyjo Private E-2

    thisisu,

    Should I get rid of the previous tdsskiller b4 downloading and running new? Trouble is, I don't know where it is...?

    I do have this old quarantine file with tdsskiller-dug-up junk; should I also get rid of that first, and if so, how? Just delete the file?

    RJ
     
  12. thisisu

    thisisu Malware Consultant

    ZeroAccess itself does not spread to other devices. However I won't know if you had more than just this infection until you attach the rest of the logs.

    We don't recommend starting the malware removal process with ComboFix. Refer back to the Read and Run Me First thread.
     
  13. thisisu

    thisisu Malware Consultant

    This isn't necessary, but you should try to find it so it's not just lingering on your PC.

    In the meantime, just download a NEW copy of tdsskiller.exe onto the desktop of the infected computer. Then run it using the instructions I pointed you to.

    You can safely leave this alone for now. Once we get to the final cleanup steps, we will be deleting these as well as the rest of the tools used for the malware removal process.
     
  14. rockyjo

    rockyjo Private E-2

    thisisu,

    Well, I guess we get to stick with the sick puppy for the time being: got down to the Cfix and the exact same thing happened as last time (first note in forum). It locked and I will have to do a cold boot. So you wanted to know exactly what happened:
    1) I clicked on "I agree" to the EULA;
    2) CFix extracted its files;
    3) c:\ window opens
    4) Said "Combofix is preparing to run."
    5) "Attempting to create new System Restore point.
    6) Backing up registry; 11 files.
    7) CFix says no MS Recovery Console installed; I clicked "yes" to have Cfix download and install.
    8) Installing Recov Console, "please click 'yes' to EULA"; has an "OK" so I clicked, then clicked 'yes'.
    9) Connecting to download.microsoft.com; Recovery Console installed successfully.
    10) Back to CFix, says "scanning."
    11) CFix window comes up, says "You are infected with Rootkit Zero Access. It has inserted itself into tcp/ip stack. If for any reason you are unable to connect to internet after running CFix, reboot once and see if that fixes it. If it's not fixed, run CFIX one more time." And it gives you and "OK" box; given that you're not supposed to touch anything while using CFix, I did nothing with the box. A little while later, a window comes up that says "Rootkit is detected. Be patient as this may take some moments." And another "OK" box. Again I didn't touch it. All the while up to this point the cpu has been working, chewing, whatever word we want to give it. Now, the cpu goes silent. And as suspected (because identical to last time), the mouse is frozen, etc., and will require a cold boot. Just to be clear, all of these steps that CFix took are identical to the first time.

    The procedures up to this point did produce the logs you are looking for (I just went on with tdss and it ran fine). mbam found some stuff it kicked out; tdsskiller found 7 things to skip; nothing else for either. All of the steps to run these scans were also the same as the first time, as I ran them off of majorgeeks instructions, except that the first time I ran a full mbam scan, not quick scan. Neither identified zeroaccess.

    I will cold boot, try to get the log files already run, and run MGTools, and see if internet still works.

    RJ
     
  15. rockyjo

    rockyjo Private E-2

    thisisu,

    PC still has internet, fortunately; however, it is noticeably slower getting on now than it was b4 running CFix.

    On that ...symantec... virtual device driver thing; symantec hasn't been on the pc for years, so anything that says symantec is a leftover. So is this virtual device driver something the pc needs and I should do the first steps in your link to fix it, or is it part of symantec and wait to clean up these leftover bits of anti-virus software that don't uninstall? From looking at the logs b4 they go to you, I am surprised that there seem to be a lot of "leftover" bits of various antivirus software from various companies that do not show up in Add/Remove Progs nor Explore. Should I proceed to do the initial steps in your link to restore the virtual device driver, or will it be resolved when we cull the old stuff at the end?

    Yes, it is low on hard drive space. Funny thing is, pc is used for checking emails, news, and one other directory. It is very difficult to know what you can get rid of or what is needed by something else for the pc to run. Two directories that are probably hogs can be removed but they require very specific steps, not just add/remove (thanks a lot software developers!), but I will take a look later today and see what I can do.

    Thanks,
    RJ

    PS. I'm now on the wrong pc to get the logs to you, so next post...
     
  16. rockyjo

    rockyjo Private E-2

    logs...
     

    Attached Files:

  17. rockyjo

    rockyjo Private E-2

    Well, I have 1 clarification: the hollowed out circle (that is not bolded) in front of your CFix command code; to me it looked like and indent symbol so I didn't include it with the code in CFix; was I supposed to? Sorry if I didn't, so please advise, and I'll run again with it.
    RJ
     
  18. thisisu

    thisisu Malware Consultant

    Download and run Norton_Removal_Tool.exe

    __

    Download and run the following tool: yorkyt.exe by Panda Security

    • Download it to your desktop and run it.

    • Yes, restart
    • Let it restart again.
    • Be patient as the tool is working after the 2nd reboot.
    • When the tool reports that it has finished running, click OK.
    • Attach the Yorkyt.exe.log to your next message (it will be in the same directory the tool was run from). (How to attach)

    __

    No.
     
  19. rockyjo

    rockyjo Private E-2

    Here comes...
     

    Attached Files:

  20. thisisu

    thisisu Malware Consultant

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know what problems remain.
     
  21. thisisu

    thisisu Malware Consultant

    The main problem that was preventing you from accessing the internet was that the IPSec service was corrupt / damaged and ipsec.sys was missing at c:\windows\system32\drivers

    I also cleaned up the mess this variant of ZeroAccess causes to NetSvcs.

    By the way, can you attach this file which has been quarantined for further analysis?
    • C:\_OTL\MovedFiles\04142012_221219\C_WINDOWS\svcs.exe
    Zip it up and then attach it to your next post.

    Thanks
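The OTL script earlier in this thread hashes afd.sys, i8042prt.sys, ipsec.sys, netbt.sys, svchost.exe and tcpip.sys (the /md5start ... /md5stop block), and the diagnosis above is that ipsec.sys was simply missing from system32\drivers. Below is an added example of that same check written out in Python; it is not code from the thread, from OTL, or from any vendor. It hashes the drivers the AV reports here named, reports any that are missing and any whose MD5 differs from a trusted copy. The reference directory is an assumption of this example (on XP the Windows File Protection cache under system32 dllcache, or the i386 source, is the usual choice); the run_scenario helper builds constructed fake files in a temp directory so the example runs anywhere.

```python
"""
Driver integrity check in the spirit of the OTL /md5start ... /md5stop block
posted in this thread.  Added example, not code from the thread or from OTL:
it hashes the drivers ZeroAccess was seen touching here, reports any that are
missing (the ipsec.sys case that broke networking on this PC) and any whose
hash differs from a trusted copy.  The reference directory is a parameter and
an assumption of this example; on XP the Windows File Protection cache
(system32 dllcache) or the original i386 source is the usual choice.
"""
import hashlib
import os
import tempfile

# File names as they appear in the OTL script and the AV reports in the thread.
WATCHED_FILES = ["afd.sys", "i8042prt.sys", "ipsec.sys", "netbt.sys",
                 "tcpip.sys", "mrxsmb.sys", "redbook.sys"]


def md5_of(path, chunk=1 << 16):
    """Streamed MD5 so large drivers are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_drivers(drivers_dir, reference_dir, names=WATCHED_FILES):
    """Return {name: (status, live_md5, reference_md5)};
    status is one of ok / missing / mismatch / no-reference."""
    results = {}
    for name in names:
        live = os.path.join(drivers_dir, name)
        ref = os.path.join(reference_dir, name)
        ref_md5 = md5_of(ref) if os.path.isfile(ref) else None
        if not os.path.isfile(live):
            results[name] = ("missing", None, ref_md5)
        elif ref_md5 is None:
            results[name] = ("no-reference", md5_of(live), None)
        else:
            live_md5 = md5_of(live)
            status = "ok" if live_md5 == ref_md5 else "mismatch"
            results[name] = (status, live_md5, ref_md5)
    return results


def suspicious(results):
    """Names that need a closer look: missing or hash mismatch.
    no-reference only means the baseline has a gap, not that the file is bad."""
    return sorted(n for n, (status, _, _) in results.items()
                  if status in ("missing", "mismatch"))


def run_scenario(missing=(), patched=()):
    """Build a constructed drivers/ and dllcache/ pair in a temp dir and check it.
    Contents are fake bytes, not real drivers; 'patched' files get bytes appended."""
    with tempfile.TemporaryDirectory() as tmp:
        drv, ref = os.path.join(tmp, "drivers"), os.path.join(tmp, "dllcache")
        os.makedirs(drv)
        os.makedirs(ref)
        for name in WATCHED_FILES:
            content = b"MZ" + name.encode() + b"\x00" * 64   # constructed stand-in for a driver
            with open(os.path.join(ref, name), "wb") as f:
                f.write(content)
            if name in missing:
                continue                                     # simulate the deleted ipsec.sys
            if name in patched:
                content += b"\x90" * 16                      # simulate an in-place patch
            with open(os.path.join(drv, name), "wb") as f:
                f.write(content)
        return check_drivers(drv, ref)


if __name__ == "__main__":
    # Scenario matching this thread: ipsec.sys gone, netbt.sys modified.
    print(suspicious(run_scenario(missing=("ipsec.sys",), patched=("netbt.sys",))))
    # -> ['ipsec.sys', 'netbt.sys']
```

Two caveats for real use. A hash comparison only sees what the filesystem returns, and an active kernel rootkit can return clean bytes for the files it has patched, so run the check from Safe Mode, a boot CD or with the disk mounted offline rather than from the infected session. And the reference copies must themselves be trusted: ZeroAccess-era infections also touched the dllcache copies on some systems, so a known-good source (installation media or a clean machine at the same service pack and patch level) is the safer baseline.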
     
  22. rockyjo

    rockyjo Private E-2

    Hi thisisu,

    1) Rec'd the same "symantec"-related error message at the outset of running getlogs.bat again; I "ignored" again.

    2) On the laptop, which relates to the original problem on the vintage sick puppy, I asked about running Combofix on it at the beginning because mbytes, sas, kaspersky, tdsskiller and for that matter avg coasted right over the zeroaccess several times, either without identifying it at all or giving indication that it was fixed/repaired/removed, when it wasn't; Cfix was the only one to identify it (until we tried panda), and then it aborted. "Read me first" steps were what I did first with the sick puppy b4 posting, and that didn't do the job; could have had many believe it was gone, actually. Maybe I should use the panda routine first?

    More after uploads...
     
  23. rockyjo

    rockyjo Private E-2

    PS. On symantec, the pc had a corporate version ("corporate" was the name); it wasn't listed in the tool you gave me a link for but I hoped it would take care of it anyway; apparently not.

    3) I guess I don't know how to zip up a file, I never have occasion to do it; please advise.

    4) So are you thinking zeroaccess is gone now? I saw that panda found some malware drivers...

    RJ
     

    Attached Files:

  24. thisisu

    thisisu Malware Consultant

    I am attaching the corporate symantec removal tool.

    Reviewing your logs now.
     

    Attached Files:

  25. thisisu

    thisisu Malware Consultant

  26. thisisu

    thisisu Malware Consultant

    Yes it's gone now. Your latest logs look clean but you should delete this empty folder:

    C:\WINDOWS\$NtUninstallKB21289$

    Also, you only had the ZeroAccess infection. You don't have to worry about the other PC you were using to upload logs being infected because of this one.

    __

    If the Symantec NoNAV removal tool does not fix that error you are getting, try what is suggested in this article: http://www.symantec.com/business/support/index?page=content&id=TECH100470
     
    Last edited: Apr 16, 2012
  27. rockyjo

    rockyjo Private E-2

    thisisu,

    Running the removal tool now; said it would need to restart but isn't doing that. I believe I will wait longer and then do a manual reboot.

    Perhaps you'll see this at your next response: 1) should I start cleaning out user-installed files to increase disk space and RAM now, or wait 'til we're done? 2) on that note, could you send links to best ways to do that? I have looked on this site and those instructions are probably there, but I haven't found them. ('Don't want to just web search, prefer to use a trusted site.) For example, there is nothing in the startup box on my pcs; nevertheless, task mgr always shows (many) questionable files (for most pc users); and control-panel-admin tools-services has a whole host of routines that seem like they could be set to "manual" instead of automatic--but how to know which, or if they're even RAM hogs separately or in total? And, I don't need 47 extra languages of anything, nor sample files of anything, etc.--is there a link(s) you guys know about that explains what you can remove, without having to do a search on every unknown file name and then guess if it's essential? Anything to make the process more efficient. Also, could you advise how to rank user-created files on the whole drive by size? I know I can do it within folders, but if I could rank them for the whole c: drive at once it might be more efficient.

    Symantec tool did not reboot so I will.

    More later,
    Thanks much.
    RJ
     
  28. rockyjo

    rockyjo Private E-2

    C:\WINDOWS\$NtUninstallKB21289$
    In this, I show folder: 3530260802, within that, folders: L which has file eiintoqb with no extension, 159 kb; and folder U which is empty.

    Just reconfirming, I should delete this whole thing?
     
  29. thisisu

    thisisu Malware Consultant

    Yes, try to. The Panda tool should have emptied it but apparently not.
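Two things the consultant cleaned up in this thread were the netsvcs service group ("the mess this variant of ZeroAccess causes to NetSvcs") and the fake C:\WINDOWS\$NtUninstallKB21289$ folder with its numeric subfolder and L/U directories. Below is an added example, not code from the thread or from any of the tools used in it, that checks for both from an exported registry file and a directory listing. The registry export and the directory tree it inspects are constructed inside the example; the heuristics (a ServiceDll outside system32 or inside a $NtUninstallKB folder is suspect; a genuine hotfix uninstall folder carries a spuninst subfolder) are this example's assumptions, not anything the thread states.

```python
"""
Added example (not code from the thread, OTL or any AV vendor): two offline
checks for the ZeroAccess remnants discussed here, the netsvcs group entry and
the fake $NtUninstallKB...$ folder under the Windows directory.  The registry
export and directory tree below are constructed for the example.  The
heuristics used to decide what is suspicious are assumptions of this example.
"""
import os
import re
import tempfile

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def _hex_value(kind, data):
    return f"hex({kind}):" + ",".join(f"{b:02x}" for b in data)


def expand_sz(value):
    """REG_EXPAND_SZ as regedit exports it: hex(2), UTF-16LE, NUL-terminated."""
    return _hex_value(2, (value + "\x00").encode("utf-16-le"))


def multi_sz(values):
    """REG_MULTI_SZ as regedit exports it: hex(7), UTF-16LE, NUL-separated, double NUL at the end."""
    return _hex_value(7, ("\x00".join(values) + "\x00\x00").encode("utf-16-le"))


def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {name: value}} for REG_SZ, hex(2) and hex(7)."""
    text = re.sub(r",\\\r?\n\s*", ",", text)      # rejoin hex values wrapped across lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith('"'):
            keys[current][name] = raw[1:-1].replace("\\\\", "\\")
        elif raw.startswith("hex(2):") or raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            parts = [p for p in data.decode("utf-16-le").split("\x00") if p]
            keys[current][name] = parts if raw.startswith("hex(7):") else (parts[0] if parts else "")
    return keys


def suspicious_netsvcs(reg, system_root=r"C:\WINDOWS"):
    """netsvcs members whose ServiceDll lives outside system32 or inside a $NtUninstallKB folder."""
    root = system_root.lower()
    system32 = root + "\\system32\\"
    hits = []
    for svc in reg.get(SVCHOST_KEY, {}).get("netsvcs", []):
        dll = reg.get(SERVICES_KEY + "\\" + svc + "\\Parameters", {}).get("ServiceDll")
        if dll is None:
            continue   # netsvcs lists names with no service on every build; that alone is normal
        norm = dll.lower().replace("%systemroot%", root).replace("%windir%", root)
        if not norm.startswith(system32) or "$ntuninstallkb" in norm:
            hits.append((svc, dll))
    return hits


def suspicious_uninstall_folders(windows_dir):
    """$NtUninstallKB...$ folders without the spuninst subfolder a real hotfix uninstall folder has."""
    bad = []
    for name in os.listdir(windows_dir):
        if re.fullmatch(r"\$NtUninstallKB\d+\$", name, re.IGNORECASE) \
                and not os.path.isdir(os.path.join(windows_dir, name, "spuninst")):
            bad.append(name)
    return sorted(bad)


def constructed_reg_export():
    """A regedit-style export with genuine netsvcs members and one planted one (all constructed)."""
    return "\n".join([
        "Windows Registry Editor Version 5.00", "",
        f"[{SVCHOST_KEY}]",
        '"netsvcs"=' + multi_sz(["wuauserv", "BITS", "ghfsvc"]), "",
        f"[{SERVICES_KEY}\\wuauserv\\Parameters]",
        '"ServiceDll"=' + expand_sz(r"%SystemRoot%\system32\wuauserv.dll"), "",
        f"[{SERVICES_KEY}\\ghfsvc\\Parameters]",
        '"ServiceDll"=' + expand_sz(r"%SystemRoot%\$NtUninstallKB99999$\1781926503\U\ghfsvc.dll"), "",
    ])


def demo():
    """Run both checks on constructed data; returns (planted service names, planted folder names)."""
    reg = parse_reg_export(constructed_reg_export())
    with tempfile.TemporaryDirectory() as windir:   # constructed stand-in for C:\WINDOWS
        os.makedirs(os.path.join(windir, "$NtUninstallKB123456$", "spuninst"))        # genuine layout
        os.makedirs(os.path.join(windir, "$NtUninstallKB99999$", "1781926503", "L"))  # planted layout
        folders = suspicious_uninstall_folders(windir)
    return [svc for svc, _ in suspicious_netsvcs(reg)], folders


if __name__ == "__main__":
    print(demo())   # -> (['ghfsvc'], ['$NtUninstallKB99999$'])
```

To use it on a real system, export the two keys with regedit (File, Export) from Safe Mode or with the hive loaded offline, feed the file to parse_reg_export, and point suspicious_uninstall_folders at the Windows directory. A hit from either check is a lead for a consultant, not a verdict: a third-party service legitimately installed under Program Files will also trip the ServiceDll rule.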
     
  30. rockyjo

    rockyjo Private E-2

    thisisu,

    Yes, that file deleted fine, and the corporate tool worked as I ran mgtools .bat again and did not receive the symantec message. Thank you!

    Working on the zip upload next.

    RJ
     
  31. rockyjo

    rockyjo Private E-2

    Here comes...
     
    Last edited by a moderator: Apr 16, 2012
  32. thisisu

    thisisu Malware Consultant

    Got it thanks. Removing your attachment now.

    How is the computer running now? Are you ready for final steps?
     
  33. rockyjo

    rockyjo Private E-2

    Hi thisisu,

    Could I give it a whirl for a day and get back with you tomorrow a.m.? (I think the malware is gone :) :) :) but I hesitate to conclude that without using a little more at least.)

    In the meantime, any advice from one of my last posts on efficient clean out?

    Another example: Under Prog Files, can I safely remove folders: Movie Maker, MSN Gaming Zone, Outlook Express? Never use and never intend to use any of those (I use Outlook, do I need express too?) Also, MSXML 6.0, Netmeeting, and Online Services look questionable.

    PC needs update (after we're done) to sp3, add back java, adobe reader, do other updates, add back av, but concerned that even updating to sp3 will overwhelm the pc...

    And it needs a "light on resources" preferably freeware av--ideas?

    Any help would be appreciated, immensely :) .

    RJ
     
  34. thisisu

    thisisu Malware Consultant

    Not a problem.

    No. This is not the way to go about this. After a second glance at your logs:
    Code:
    Drive	C:	
    Description	Local Fixed Disk	
    Size	12.64 GB (13,571,678,208 bytes)	
    Free Space	2.02 GB (2,169,413,632 bytes)	
    Disregard my previous messages about freeing up space since the hard drive itself does not have much space.

    This PC is pretty old, 10 years+? It's still fine for just surfing the net and checking emails but I wouldn't recommend doing much else with it.

    Microsoft Security Essentials
    Code:
    Total Physical Memory	384.00 MB
    I don't recommend running an antivirus if you're running this amount of memory (it's a low amount for today's standards).

    It's better than nothing sure, but I do not think the potential slow down is worth it.

    What problems is your other computer having?
     
  35. rockyjo

    rockyjo Private E-2

    Hello thisisu,

    Sorry for the long departure, the week sped.

    1) On the pc we've been working on, I would like to run either Cfix or Panda once more just to make sure it doesn't pick up anything, since those were the only two that did before, but I haven't done it yet until I hear from you.

    I have only rec'd 1 error message on that computer in a week and no redirects (I only use it for specific, narrow, routine tasks), so I believe the 0access is gone! Thank you hundreds! I will post the error message when I'm there.

    Per previous comment, there are files that can be removed from the hard drive to free up substantial space. 'Can't do anything about mem size at this point. I would like to protect it if possible; does av require "a lot" of memory?

    On related subject of memory, though not having to do with av, when one is using the net, is there a way to clear working memory real time, rather than exit the internet and return?

    2) On the other hand, I do believe the laptop caught something while we were working on the other pc, since it started the time of cleaning the other pc and porting files back and forth; I feel like that's when the bug arrived. Laptop is also xp pro, however sp3, ie, avg. Not sure what it is: no redirects, extremely slow getting onto the net and using the net; several times it just gave the "no connect" screen; checked task mgr once for System, cpu 0, memory 111,488, and System Idle, cpu 99, memory 16. Receive avg messages that ie is taking too much memory. Unfortunately, also rec'd a BSOD, that Win attributed to WLANUHN.sys, page-fault-in-nonpaged-area. I wrote down the other x00... codes when this happened as well; let me know if you want them. As advised by Win, rebooted and Win came up normally.

    Win also attributed it to newly installed hardware, or Win updates that hadn't been done, or virus. There is no newly installed hardware, or software other than avg updates. I checked Win for updates and there are no high priority updates that the pc needs; there were some optional hardware and software--was going to do those but thought I should wait for instruction(s) on what to do first. So perhaps virus/trojan. Read me first reports? Get back in line with this pc? Please advise.

    Thank you.
    RJ
     
  36. thisisu

    thisisu Malware Consultant

    Hi. No problem. :)

    You can run either or if you'd like. For ComboFix, do not use a CFScript.txt. Just run it normally.

    K, let me know the error message. You're welcome again :)

    It depends on the Antivirus chosen to install. I think MSE is one of the "lightest" ones but I don't know the actual requirements. I would just install it and see if the PC becomes unbearable with 384MB.

    Exit out of processes and stop services that you aren't using that are running in the background. It requires some knowledge to know what processes are for what programs, which services control what programs, etc. These types of "tweaks" unfortunately are not the scope of this forum. I wish we had a "Tweaking" section, I know I'd be using it ;) Your best bet in the meantime would be to ask for advice in the Software forum.

    WLANUHN.sys is related to Wireless-N-USB-Adapter. I don't need the tech code since it provided the driver file associated to the BSOD.

    You can run through the Read and Run Me first on the other PC if you'd like. However, if you still have trouble afterwards, create a new thread (don't post information from the second PC in this thread) describing the problems you are experiencing.
     
  37. rockyjo

    rockyjo Private E-2

    Hi thisisu,

    Here's the error message from the pc we've been working on, on exiting creative media player:
    CTCMSU.exe Application error
    The instruction at "0x0748350e" referenced memory at "0x06832268". The memory could not be "read." Click OK to terminate the program.

    I will get back with you after running CFix, but could put this up now so am.

    Rockyjo
     
  38. thisisu

    thisisu Malware Consultant

    Ok, did this error message just recently start appearing or has it been there for a while?
    I will wait for your ComboFix log :)
     
  39. rockyjo

    rockyjo Private E-2

    Hello thisisu,

    1) I don't know the answer to your question. I haven't used the sound in awhile as it hasn't been working so don't know if I had tried to, if/when I would have rec'd an error message. Since it looked like we were successfully finishing, thought I'd get in line on that subject in the Software section as thought it would take a while to get to the top of the list. I rec'd feedback right away and had been working on that during the time I wanted to test out my pc to get an opinion if it was fixed from what we've been working on. So I don't know if the error message would have popped up before we started or not.

    2) Am running CFix and unfortunately it stopped; appears to have stalled before it began, similar to b4. Process: I clicked on the CFix icon on my desktop, it updated to newer version, started, and I have "Scanning for infected files... This typically doesn't take more than 10 minutes
    However, scan times for badly infected machines may easily double" and I could hear the cpu chewing for awhile and now nothing. It did not go through any layers. Same as when we first started or somewhere in the middle. Bummer. PC is frozen. So looks like a cold boot is required.

    Please advise.

    Rockyjo

    PS. Thanks for your patience; I am back on this multi-times daily again until it is finished.
     
  40. thisisu

    thisisu Malware Consultant

    I do not think you have anything to worry about as your logs are clean but you can reboot into Safe Mode and retry ComboFix from there if you'd like. It does not work on all systems though so you may want to try the Panda tool again since you had success with that before.
     
  41. rockyjo

    rockyjo Private E-2

    For both Panda and CFix, in order to re-run, is it correct to click on the downloaded exec file on the desktop just like the first time (when it unloads its files onto your system), or is there some file you should click on in c: that starts the program(s)?

    RJ
     
  42. thisisu

    thisisu Malware Consultant

    Yes this is correct.
     
  43. rockyjo

    rockyjo Private E-2

    thisisu,

    Panda ZAcess Tool said "detected and requested some bad files" and now I'm trying to find the log file. Will upload when found or if you see this quickly, where do I find the log file?

    RJ
     
  44. thisisu

    thisisu Malware Consultant

    The log file will be on the same location the tool was run from.

    So if you ran the tool from your desktop, the log will also be on your desktop.
    Its name is yorkyt.exe.log
     
  45. rockyjo

    rockyjo Private E-2

    Thanks. Looks like it appended it to the first run...
    RJ
     

    Attached Files:

  46. thisisu

    thisisu Malware Consultant

    Yes but it's clean :)
     
  47. rockyjo

    rockyjo Private E-2

    Hi thisisu,

    So what are all those dsalfkjg;dslkhgkashd that it lists? How do I fix those?

    RJ
     
  48. rockyjo

    rockyjo Private E-2

    And what is the problem that caused CFix to freeze like when it was infected, prior to when we got a log from CFix?

    RJ
     
  49. thisisu

    thisisu Malware Consultant

    I don't know but you were never able to run ComboFix. I think it may have something to do with the low amount of resources your PC has.
     
  50. thisisu

    thisisu Malware Consultant

    Are you referring to this?

    Code:
    2012-04-15 18:54:32: Listing processes...
    2012-04-15 18:54:32:    :[System Process]:0
    2012-04-15 18:54:32:    :System:4
    2012-04-15 18:54:32:    :smss.exe:480
    2012-04-15 18:54:32:    :csrss.exe:540
    2012-04-15 18:54:32:    :winlogon.exe:568
    2012-04-15 18:54:32:    :services.exe:616
    2012-04-15 18:54:32:    :lsass.exe:632
    2012-04-15 18:54:32:    :svchost.exe:796
    2012-04-15 18:54:32:    :svchost.exe:892
    2012-04-15 18:54:32:    :svchost.exe:976
    2012-04-15 18:54:32:    :svchost.exe:1132
    2012-04-15 18:54:32:    :svchost.exe:1248
    2012-04-15 18:54:32:    :spoolsv.exe:1388
    2012-04-15 18:54:32:    :svchost.exe:1488
    2012-04-15 18:54:32:    :CTSVCCDA.EXE:1528
    2012-04-15 18:54:32:    :mbamservice.exe:1568
    2012-04-15 18:54:32:    :nvsvc32.exe:1624
    2012-04-15 18:54:32:    :wdfmgr.exe:1668
    2012-04-15 18:54:32:    :wuauclt.exe:1828
    2012-04-15 18:54:32:    :alg.exe:2020
    2012-04-15 18:54:32:    :wscntfy.exe:1060
    2012-04-15 18:54:32:    :explorer.exe:1292
    2012-04-15 18:54:32:    :wmiprvse.exe:1744
    2012-04-15 18:54:32:    :yorkyt.exe:1620
    These are processes. None of them are bad.

    What actual malware related problems are you having with your PC?
     
